Networks are constantly being exploited through DNS for a variety of criminal purposes today. DNS is the cornerstone of the internet, and attackers know it is a high-value target: without a properly functioning DNS, enterprises cannot conduct business online. The DNS protocol is also stateless, which means attackers cannot be traced easily.
The DNS protocol can be exploited easily. It is easy to craft DNS queries that cause a DNS server to crash, or that produce a much larger response that congests the victim's bandwidth. Queries can be spoofed, so an attacker can direct huge amounts of traffic at a victim with the help of unsuspecting accomplices (open resolvers on the internet). Traditional protection such as firewalls leaves port 53 open and does little to prevent DNS attacks. All of these reasons make DNS an ideal attack target.
DNS security is a critical component of your infrastructure and a target for many of these attacks. Major challenges exist in securing DNS because it is an open, global communication mechanism that is not well secured and is often neglected. Enterprises can use purpose-built hardware to secure their DNS infrastructure and apply best practices to keep that infrastructure safe from modern security threats.
DNS infrastructure attacks increased by 216% in 2013 alone. Approximately 10% of all layer 3 and layer 4 (infrastructure layer) attacks were targeted at DNS, and this number has been growing rapidly, according to Prolexic. Arbor conducted its Infrastructure Security Survey and received about 220 responses between November 2012 and October 2013. Among those who responded, 80% said they had experienced a DNS application layer attack. DNS is considered the major attack-vector protocol when it comes to layer 7 attacks.
Reflection attacks use a third-party DNS server on the internet, usually an open resolver, to propagate a DDoS attack against the victim's server. A recursive server will process queries from any IP address and return responses. The attacker spoofs the DNS queries sent to the recursive server by putting the victim's IP address in the source IP field of the queries, so when the recursive name server receives the requests, it sends all the responses to the victim's IP address.
DrDoS, or Distributed Reflection Denial of Service, uses many such "host" machines or open resolvers on the internet, often thousands of servers, to launch an attack on the target victim. Amplification (described next) can also be used when generating these queries to increase the impact on the victim. A high volume of such "reflected" traffic can overwhelm the victim's server and bring down the victim's site, creating a Denial of Service (DoS).
DNS amplification is an attack in which a large number of specially crafted DNS queries are sent to the victim server. These crafted queries produce very large responses, up to 70 times the size of the request. Because DNS relies on the User Datagram Protocol (UDP), the attacker can use a small volume of outbound traffic to make the DNS server generate a much larger volume. When the victim server answers these crafted queries, the amplified responses congest its outbound bandwidth, resulting in a Denial of Service (DoS).
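The reflection and amplification pattern described above is visible on the resolver side as a burst of amplifying query types (ANY, TXT, DNSKEY) that all appear to come from one "client", the spoofed victim. The following detector is an added example, not Infoblox code; the log format, the sample lines and the threshold and window values are all constructed for illustration.

```python
import re
from collections import defaultdict, deque

# Constructed sample resolver query log (not real traffic), one line per query:
# "<epoch seconds> client <source ip>#<source port>: query: <qname> IN <qtype>"
SAMPLE_LOG = "\n".join(
    ["1700000000 client 192.0.2.10#49152: query: www.example.com IN A",
     "1700000001 client 192.0.2.10#49153: query: mail.example.com IN MX",
     "1700000002 client 192.0.2.11#50001: query: example.com IN ANY"]
    # Spoofed burst: 20 ANY queries in 2 seconds, all "from" the victim's IP, source port 53
    + [f"17000000{10 + i // 10:02d} client 198.51.100.7#53: query: example.com IN ANY"
       for i in range(20)]
)

LINE_RE = re.compile(r"^(\d+) client ([\d.]+)#(\d+): query: (\S+) IN ([A-Z0-9]+)$")
# Query types whose responses are typically far larger than the request (assumed set)
AMPLIFYING_QTYPES = {"ANY", "TXT", "DNSKEY", "RRSIG"}

def detect_reflection(log_text, threshold=10, window=5):
    """Flag source IPs that send >= threshold amplifying queries within any
    window-second span. Returns {ip: {"count": n, "from_port_53": bool}}.
    Legitimate stub resolvers use ephemeral source ports; spoofed reflection
    traffic often carries the victim's service port (53) as its source port."""
    recent = defaultdict(deque)    # ip -> timestamps of recent amplifying queries
    port53 = defaultdict(bool)     # ip -> seen with source port 53
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, port, qtype = int(m.group(1)), m.group(2), int(m.group(3)), m.group(5)
        if qtype not in AMPLIFYING_QTYPES:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop queries outside the sliding window
            q.popleft()
        if port == 53:
            port53[ip] = True
        if len(q) >= threshold:
            prev = flagged.get(ip, {}).get("count", 0)
            flagged[ip] = {"count": max(len(q), prev), "from_port_53": port53[ip]}
    return flagged

if __name__ == "__main__":
    for ip, info in detect_reflection(SAMPLE_LOG).items():
        print(f"possible reflection victim {ip}: {info['count']} amplifying queries "
              f"in window, source port 53: {info['from_port_53']}")
```

A flagged address is the likely victim, not the attacker, so the response is rate limiting or dropping answers toward it (and closing the open resolver), not blocking a "client".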
These are attacks that exploit vulnerabilities in the DNS software. This causes the DNS software to terminate abnormally, causing the server to stop responding or crash.
These are volumetric attacks with massive numbers of packets that consume a network's bandwidth and resources. TCP SYN floods consist of large volumes of half-open TCP connections. This attack takes advantage of the way TCP establishes connections: the attacking software generates spoofed packets that appear to the server to be valid new connections. These packets enter the queue, but the connection is never completed, leaving false connections in the queue until they time out. The system under attack stops responding to new connections until the attack stops. This means the server is not answering legitimate requests from clients to open new connections, resulting in a Denial of Service (DoS).
UDP floods send large numbers of UDP packets to random ports on a remote server, which checks for applications listening on each port but does not find any. The remote server is then forced to return a large number of ICMP Destination Unreachable packets. The attacker can also spoof the source IP address so that the replies do not go back to the attacker's servers. Sending the replies exhausts the victim server's resources and causes it to become unreachable.
ICMP attacks use network devices such as routers to send error messages when a requested service is not available or the remote server cannot be reached. Examples of ICMP attacks include ping floods, ping of death and smurf attacks. These overwhelm the victim server or cause it to crash through overflow of memory buffers.
Corruption of DNS cache data. It involves inserting a false address record for an Internet domain into a DNS server's cache. If the DNS server accepts the record, subsequent requests for the address of the domain are answered with the address of a server controlled by the attacker. For as long as the false entry is cached, incoming web requests and emails will go to the attacker's address. Newer cache-poisoning attacks such as the "birthday paradox" attack use brute force, flooding the server with queries and responses at the same time in the hope that one of the responses matches an outstanding query and poisons the cache. Cache poisoning prevents access or redirects clients to a rogue address, preventing legitimate users from reaching the company's site. Inducing a name server to cache bogus resource records can redirect web browsers to bogus replicas of web sites, where logins, passwords and credit card numbers are captured, or redirect email to hostile mail servers, where mail can be recorded or modified.
These attacks send malformed DNS packets, including unexpected header and payload values, to the targeted server. They make use of software bugs in the protocol parsing and processing implementation. The victim server stops responding, either by going into an infinite loop or by crashing.
This attack consists of attempts to gather information about the network environment before launching a large DDoS or other type of attack. Techniques include port scanning and finding versions and authors. These attacks exhibit abnormal behavior patterns that, if identified, can provide early warning. There is no direct effect on the server, but they indicate an impending attack.
This attack involves tunneling another protocol through DNS port 53, which is allowed if the firewall is configured to carry non-DNS traffic, for the purpose of data exfiltration. A free ISC-licensed tunneling application for forwarding IPv4 traffic through DNS servers is widely used in this kind of attack.
The Infoblox Secure DNS solution addresses the DNS security challenge. It includes our hardened appliance and OS for securing the platform, Advanced DNS Protection to defend against attacks that target DNS and try to bring it down, and finally DNS Firewall to block malware and APTs from exploiting DNS to communicate with their command and control sites.
Before we talk about disrupting malware, which may be random or targeted, we need to understand the problem first. The problem is that malware is used to drive security breaches around sensitive information or to steal money.
On the screen right now are just some of the breaches from CQ 2013 into CQ1 2014 that used malware extensively. Let me go through a couple of examples. In the 1st quarter, the NY Times was hacked and information was exfiltrated over a period of 4 months. An outside company was brought in at great expense to clean up the NY Times infrastructure. The outside vendor found 45 different malware instances, only 1 of which was caught by anti-virus.
Another example from the 1st quarter is Facebook. Facebook was infected via Java-based malware that was accidentally downloaded by several Facebook employees outside of the Facebook network and brought back into the network. Facebook found the Java-based malware because a DNS administrator noticed a sudden burst of DNS requests for domains in Russia. In the 2nd quarter it was announced that malware had been used to steal credit card numbers and other information from the likes of VISA, JC Penney, NASDAQ and Carrefour, totaling $300 million.
In the 3rd quarter of this year Adobe was hacked using malware, and an outside security researcher discovered the breach when he found source code for 4 of Adobe's products on a known hacker website.
Finally, retail was a big target in late CQ4 2013 and early CQ 2014. Neiman Marcus, Target and several others were breached, and credit card information for tens of millions of customers was stolen. Target, Neiman Marcus and URM Stores (Washington State) found that their credit card point-of-sale (Windows) computers had been breached and customer credit card data stolen. Each vendor had to announce it publicly. The impact on their business was 3-fold.
Here is one more example of malware that DNS Firewall is effective against. CryptoLocker is a new name for a piece of malware (so-called ransomware) that has been updated and is now back in distribution. CryptoLocker is Windows-based malware that is spread via various "pay per infection" methods; that is, the crooks pay other crooks to infect you. Currently it is being spread in at least two different ways.
One is email, where the attached malware is disguised as a PDF or a voice-mail audio file. The second is via trojans already present on the machine, which are commanded to download CryptoLocker. Once CryptoLocker is on a Windows machine, it encrypts the files on the local hard drive or shared drives after obtaining an encryption key from an internet-based server. The encryption key is a 2048-bit RSA key. As you can see on the screen, a pop-up window informs you that your files are encrypted and that you have 72 or 100 hours to pay 300 dollars or euros to regain access to your data.
The only way to stop the encryption process is to block access to the encryption servers on the Internet. Infoblox DNS Firewall disrupts CryptoLocker by blocking DNS queries to the encryption servers.
1. An infected mobile device is brought into the office. Upon connection, the malware starts to spread to other devices on the network.
2. The malware makes a DNS query for a "bad" domain to find "home." The DNS Firewall has the "bad" domain in its table and blocks the connection.
3. The DNS server is continually updated by a reputational data feed service to reflect the rapidly changing list of malicious domains.
4. Infoblox Reporting provides a list of blocked attempts as well as the
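The four steps above (query for a "bad" domain, lookup against a feed-driven block table, feed update, per-client report of blocked attempts) can be modelled as a small response-policy check. This is an added example and not Infoblox's implementation; the feed contents, the allowlist and the client queries are constructed placeholders, not real indicators.

```python
from collections import Counter

# Constructed reputation feed (hypothetical zones, not real indicators). A blocked zone
# also covers every name beneath it, e.g. "beacon7.c2-example.test".
FEED_V1 = {"c2-example.test", "ransom-key.example"}
FEED_V2 = FEED_V1 | {"newly-seen-dropper.test"}   # the feed after a later update
ALLOWLIST = {"safe.c2-example.test"}               # explicit exception wins over a block

def normalize(name):
    """Lower-case and strip the trailing dot so "C2-EXAMPLE.test." matches the feed."""
    return name.rstrip(".").lower()

def policy_action(qname, blocked_zones, allowlist=ALLOWLIST):
    """Return ("block", matched_zone) or ("allow", None).
    Walks from the full name up towards the TLD so a blocked parent zone catches
    the ever-changing hostnames malware generates underneath it."""
    qname = normalize(qname)
    if qname in allowlist:
        return ("allow", None)
    labels = qname.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocked_zones:
            return ("block", candidate)
    return ("allow", None)

def apply_policy(queries, blocked_zones):
    """queries: iterable of (client_ip, qname). Returns (decisions, blocked_per_client);
    the Counter is the data behind a "blocked attempts per client" report, which is
    how an infected host is found even though the query itself was dropped."""
    decisions, report = [], Counter()
    for client, qname in queries:
        action, zone = policy_action(qname, blocked_zones)
        decisions.append((client, normalize(qname), action, zone))
        if action == "block":
            report[client] += 1
    return decisions, report

# Constructed query sample: one infected host (10.0.0.23) beaconing, plus normal traffic
SAMPLE_QUERIES = [
    ("10.0.0.23", "beacon7.c2-example.test."),
    ("10.0.0.23", "KEY.ransom-key.example"),
    ("10.0.0.23", "newly-seen-dropper.test"),
    ("10.0.0.42", "www.example.com"),
    ("10.0.0.42", "safe.c2-example.test"),
]

if __name__ == "__main__":
    for label, feed in (("feed v1", FEED_V1), ("feed v2", FEED_V2)):
        decisions, report = apply_policy(SAMPLE_QUERIES, feed)
        print(label, "blocked per client:", dict(report))
```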